Add unit tests for PhpFrameworkSurface and PhpPharScanner

- Implement comprehensive tests for PhpFrameworkSurface, covering scenarios such as empty surfaces, presence of routes, controllers, middlewares, CLI commands, cron jobs, and event listeners.
- Validate metadata creation for route counts, HTTP methods, protected and public routes, and route patterns.
- Introduce tests for PhpPharScanner, including handling of non-existent files, null or empty paths, invalid PHAR files, and minimal PHAR structures.
- Ensure correct computation of SHA256 for valid PHAR files and validate the properties of PhpPharArchive, PhpPharEntry, and PhpPharScanResult.
This commit is contained in:
StellaOps Bot
2025-12-07 13:44:13 +02:00
parent af30fc322f
commit 965cbf9574
49 changed files with 11935 additions and 152 deletions


@@ -219,6 +219,240 @@ paths:
schema:
$ref: '#/components/schemas/AttestationListResponse'
/findings/{findingId}/attestation-pointers:
get:
operationId: getFindingAttestationPointers
summary: Get attestation pointers linking finding to verification reports and attestation envelopes
description: |
Returns all attestation pointers for a finding. Attestation pointers link findings
to verification reports, DSSE envelopes, SLSA provenance, VEX attestations, and other
cryptographic evidence for explainability and audit trails.
tags: [findings, attestation]
parameters:
- $ref: '#/components/parameters/FindingId'
- $ref: '#/components/parameters/TenantId'
responses:
'200':
description: List of attestation pointers
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/AttestationPointer'
examples:
verified_finding:
summary: Finding with verified DSSE envelope
value:
- pointer_id: "a1b2c3d4-5678-90ab-cdef-123456789abc"
finding_id: "f1234567-89ab-cdef-0123-456789abcdef"
attestation_type: "DsseEnvelope"
relationship: "VerifiedBy"
attestation_ref:
digest: "sha256:abc123def456789012345678901234567890123456789012345678901234abcd"
storage_uri: "s3://attestations/envelope.json"
payload_type: "application/vnd.in-toto+json"
predicate_type: "https://slsa.dev/provenance/v1"
signer_info:
issuer: "https://fulcio.sigstore.dev"
subject: "build@stella-ops.org"
verification_result:
verified: true
verified_at: "2025-01-01T12:00:00Z"
verifier: "cosign"
verifier_version: "2.2.3"
checks:
- check_type: "SignatureValid"
passed: true
- check_type: "CertificateValid"
passed: true
created_at: "2025-01-01T10:00:00Z"
created_by: "scanner-service"
'400':
$ref: '#/components/responses/BadRequest'
'404':
$ref: '#/components/responses/NotFound'
/findings/{findingId}/attestation-summary:
get:
operationId: getFindingAttestationSummary
summary: Get summary of attestations for a finding
description: Returns aggregate counts and verification status for all attestations linked to a finding.
tags: [findings, attestation]
parameters:
- $ref: '#/components/parameters/FindingId'
- $ref: '#/components/parameters/TenantId'
responses:
'200':
description: Attestation summary
content:
application/json:
schema:
$ref: '#/components/schemas/AttestationSummary'
examples:
partially_verified:
summary: Finding with mixed verification status
value:
finding_id: "f1234567-89ab-cdef-0123-456789abcdef"
attestation_count: 3
verified_count: 2
latest_attestation: "2025-01-01T12:00:00Z"
attestation_types: ["DsseEnvelope", "SlsaProvenance", "VexAttestation"]
overall_verification_status: "PartiallyVerified"
'400':
$ref: '#/components/responses/BadRequest'
/attestation-pointers:
post:
operationId: createAttestationPointer
summary: Create an attestation pointer linking a finding to an attestation artifact
description: |
Creates a pointer linking a finding to a verification report, DSSE envelope, or other
attestation artifact. This enables explainability and cryptographic audit trails.
The operation is idempotent - creating the same pointer twice returns the existing record.
tags: [attestation]
parameters:
- $ref: '#/components/parameters/TenantId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateAttestationPointerRequest'
examples:
dsse_envelope:
summary: Link finding to DSSE envelope
value:
finding_id: "f1234567-89ab-cdef-0123-456789abcdef"
attestation_type: "DsseEnvelope"
relationship: "VerifiedBy"
attestation_ref:
digest: "sha256:abc123def456789012345678901234567890123456789012345678901234abcd"
storage_uri: "s3://attestations/envelope.json"
payload_type: "application/vnd.in-toto+json"
predicate_type: "https://slsa.dev/provenance/v1"
verification_result:
verified: true
verified_at: "2025-01-01T12:00:00Z"
verifier: "cosign"
responses:
'201':
description: Attestation pointer created
content:
application/json:
schema:
$ref: '#/components/schemas/CreateAttestationPointerResponse'
headers:
Location:
schema:
type: string
format: uri
'200':
description: Attestation pointer already exists (idempotent)
content:
application/json:
schema:
$ref: '#/components/schemas/CreateAttestationPointerResponse'
'400':
$ref: '#/components/responses/BadRequest'
/attestation-pointers/{pointerId}:
get:
operationId: getAttestationPointer
summary: Get attestation pointer by ID
tags: [attestation]
parameters:
- name: pointerId
in: path
required: true
schema:
type: string
format: uuid
- $ref: '#/components/parameters/TenantId'
responses:
'200':
description: Attestation pointer details
content:
application/json:
schema:
$ref: '#/components/schemas/AttestationPointer'
'404':
$ref: '#/components/responses/NotFound'
/attestation-pointers/{pointerId}/verification:
put:
operationId: updateAttestationPointerVerification
summary: Update verification result for an attestation pointer
description: Updates or adds verification result to an existing attestation pointer.
tags: [attestation]
parameters:
- name: pointerId
in: path
required: true
schema:
type: string
format: uuid
- $ref: '#/components/parameters/TenantId'
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- verification_result
properties:
verification_result:
$ref: '#/components/schemas/VerificationResult'
responses:
'204':
description: Verification result updated
'404':
$ref: '#/components/responses/NotFound'
/attestation-pointers/search:
post:
operationId: searchAttestationPointers
summary: Search attestation pointers with filters
description: |
Search for attestation pointers across findings using various filters.
Useful for auditing, compliance reporting, and finding findings with specific
attestation characteristics.
tags: [attestation]
parameters:
- $ref: '#/components/parameters/TenantId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/AttestationPointerSearchRequest'
examples:
find_verified:
summary: Find all verified attestation pointers
value:
verification_status: "Verified"
limit: 100
find_by_type:
summary: Find SLSA provenance attestations
value:
attestation_types: ["SlsaProvenance"]
created_after: "2025-01-01T00:00:00Z"
find_by_signer:
summary: Find attestations by signer identity
value:
signer_identity: "build@stella-ops.org"
verification_status: "Verified"
responses:
'200':
description: Search results
content:
application/json:
schema:
$ref: '#/components/schemas/AttestationPointerSearchResponse'
'400':
$ref: '#/components/responses/BadRequest'
/findings/{findingId}/history:
get:
operationId: getFindingHistory
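Review bot: The `dsse_envelope` request example and the `updateAttestationPointerVerification` PUT accept `verification_result` (including `verified: true`, `verifier`, `checks`) as caller-supplied data, so a pointer can be recorded with relationship `VerifiedBy` without the spec requiring the service to perform or re-check any signature verification, and `getFindingAttestationSummary` then reports `AllVerified` from those asserted values. The spec should state which side is authoritative: either the service re-verifies the referenced envelope against `attestation_ref.digest` before accepting `verified: true`, or the `createAttestationPointer` and PUT descriptions say something like `A caller-supplied verification_result is recorded as asserted by the authenticated principal and is not re-verified by the ledger; consumers must treat it as a claim, not as proof.` None of the new operations declares an operation-level `security` requirement or a 401/403 response, so unless a document-wide requirement exists outside this hunk, the verification-writing PUT is indistinguishable in scope from the read-only GETs; declaring a distinct write scope for create and verification updates would make that boundary explicit. The `CreateAttestationPointerRequest` schema later in this file also takes `created_by` from the request body, which weakens the audit-trail claim in the POST description unless the server overwrites it with the authenticated identity, and that too should be documented here.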
@@ -776,6 +1010,326 @@ components:
total_count:
type: integer
AttestationPointer:
type: object
required:
- pointer_id
- finding_id
- attestation_type
- relationship
- attestation_ref
- created_at
- created_by
properties:
pointer_id:
type: string
format: uuid
finding_id:
type: string
attestation_type:
type: string
enum:
- VerificationReport
- DsseEnvelope
- SlsaProvenance
- VexAttestation
- SbomAttestation
- ScanAttestation
- PolicyAttestation
- ApprovalAttestation
relationship:
type: string
enum:
- VerifiedBy
- AttestedBy
- SignedBy
- ApprovedBy
- DerivedFrom
attestation_ref:
$ref: '#/components/schemas/AttestationRefDetail'
verification_result:
$ref: '#/components/schemas/VerificationResult'
created_at:
type: string
format: date-time
created_by:
type: string
metadata:
type: object
additionalProperties: true
ledger_event_id:
type: string
format: uuid
AttestationRefDetail:
type: object
required:
- digest
properties:
digest:
type: string
pattern: '^sha256:[a-f0-9]{64}$'
attestation_id:
type: string
format: uuid
storage_uri:
type: string
format: uri
payload_type:
type: string
description: DSSE payload type (e.g., application/vnd.in-toto+json)
predicate_type:
type: string
description: SLSA/in-toto predicate type URI
subject_digests:
type: array
items:
type: string
description: Digests of subjects covered by this attestation
signer_info:
$ref: '#/components/schemas/SignerInfo'
rekor_entry:
$ref: '#/components/schemas/RekorEntryRef'
SignerInfo:
type: object
properties:
key_id:
type: string
issuer:
type: string
description: OIDC issuer for keyless signing
subject:
type: string
description: OIDC subject/identity
certificate_chain:
type: array
items:
type: string
signed_at:
type: string
format: date-time
RekorEntryRef:
type: object
properties:
log_index:
type: integer
format: int64
log_id:
type: string
uuid:
type: string
integrated_time:
type: integer
format: int64
description: Unix timestamp when entry was integrated into the log
VerificationResult:
type: object
required:
- verified
- verified_at
properties:
verified:
type: boolean
verified_at:
type: string
format: date-time
verifier:
type: string
description: Verification tool name (e.g., cosign, notation)
verifier_version:
type: string
policy_ref:
type: string
description: Reference to verification policy used
checks:
type: array
items:
$ref: '#/components/schemas/VerificationCheck'
warnings:
type: array
items:
type: string
errors:
type: array
items:
type: string
VerificationCheck:
type: object
required:
- check_type
- passed
properties:
check_type:
type: string
enum:
- SignatureValid
- CertificateValid
- CertificateNotExpired
- CertificateNotRevoked
- RekorEntryValid
- TimestampValid
- PolicyMet
- IdentityVerified
- IssuerTrusted
passed:
type: boolean
details:
type: string
evidence:
type: object
additionalProperties: true
AttestationSummary:
type: object
required:
- finding_id
- attestation_count
- verified_count
- attestation_types
- overall_verification_status
properties:
finding_id:
type: string
attestation_count:
type: integer
verified_count:
type: integer
latest_attestation:
type: string
format: date-time
attestation_types:
type: array
items:
type: string
overall_verification_status:
type: string
enum:
- AllVerified
- PartiallyVerified
- NoneVerified
- NoAttestations
CreateAttestationPointerRequest:
type: object
required:
- finding_id
- attestation_type
- relationship
- attestation_ref
properties:
finding_id:
type: string
attestation_type:
type: string
enum:
- VerificationReport
- DsseEnvelope
- SlsaProvenance
- VexAttestation
- SbomAttestation
- ScanAttestation
- PolicyAttestation
- ApprovalAttestation
relationship:
type: string
enum:
- VerifiedBy
- AttestedBy
- SignedBy
- ApprovedBy
- DerivedFrom
attestation_ref:
$ref: '#/components/schemas/AttestationRefDetail'
verification_result:
$ref: '#/components/schemas/VerificationResult'
created_by:
type: string
metadata:
type: object
additionalProperties: true
CreateAttestationPointerResponse:
type: object
required:
- success
properties:
success:
type: boolean
pointer_id:
type: string
format: uuid
ledger_event_id:
type: string
format: uuid
error:
type: string
AttestationPointerSearchRequest:
type: object
properties:
finding_ids:
type: array
items:
type: string
attestation_types:
type: array
items:
type: string
enum:
- VerificationReport
- DsseEnvelope
- SlsaProvenance
- VexAttestation
- SbomAttestation
- ScanAttestation
- PolicyAttestation
- ApprovalAttestation
verification_status:
type: string
enum:
- Any
- Verified
- Unverified
- Failed
created_after:
type: string
format: date-time
created_before:
type: string
format: date-time
signer_identity:
type: string
description: Filter by signer subject/identity
predicate_type:
type: string
description: Filter by SLSA/in-toto predicate type
limit:
type: integer
minimum: 1
maximum: 1000
default: 100
offset:
type: integer
minimum: 0
default: 0
AttestationPointerSearchResponse:
type: object
required:
- pointers
- total_count
properties:
pointers:
type: array
items:
$ref: '#/components/schemas/AttestationPointer'
total_count:
type: integer
HistoryListResponse:
type: object
required: